Security

This document aims to explore in depth the security considerations around Mir based compositors.

Threat Model

Mir is a C++ library for building compositors, not a product itself. As such, when discussing the threat model for Mir, it is useful to discuss it in terms of an actual product that is built on Mir. With this in mind, we will define the threat model of Ubuntu Frame in this document.

Ubuntu Frame Threat Model Diagram

Ubuntu Frame is published as a snap. As such, the threat model for frame assumes that the snap is secure, and proceeds to outline the frame snap’s interactions with the outside world.

        %%{ init: { 'flowchart': { 'curve': 'monotoneY' } } }%%
flowchart
    shell((Mir-based Shell))
    vnc_server(VNC Server)
    vnc_client(VNC Client)
    osk(On-screen Keyboard)
    snapd(Snapd)
    operator_app(Operator App)
    user(User)
    display(Display)
    app(App)

    subgraph snap [Snap]
        vnc_server--input-->shell
        shell--screen content-->vnc_server

        osk--content/input-->shell
        shell--input-->osk
    end
    
    shell--contents/configuration--->display
    snapd--configuration-->shell
    display--visuals-->user
    operator_app--help message-->shell
    user--input events-->shell
    display--properties-->shell
    vnc_server<--vnc-->vnc_client
    app--window contents-->shell
    shell--input/window management-->app

    classDef boundary fill:none,stroke-dasharray: 5 5
    snap:::boundary
    

Cryptography

There is no cryptography used in Mir, no direct dependency on en/decryption, hashing or digital signatures.